Data Privacy Statement

Data Privacy Statement

I. Name and address of the responsible person/entity

The responsible person/entity within the meaning of the EU General Data Protection Regulation and other national data protection laws of the member states as well as of any other data privacy regulations is:

Kludi GmbH & Co. KG Am Vogelsang 31-33 58706 Menden Germany

II. Data protection commissioner

The company has appointed a data protection commissioner who you can contact by e-mail at [email protected] or via the contact data referred to in Item 1. To postal addresses, please add the words “Data Protection – private/confidential”.

III. General information on data protection

As a service provider (hereinafter referred to as the “Provider”), Kludi GmbH & Co. KG takes the obligation to protect your personal data very seriously. As a matter of course, we adhere to the provisions of any applicable data protection laws. The use of incoming data is based exclusively on the respective particular purpose. As a basic principle, your personal data will only be recorded and processed as far as this is necessary for the provision of a functioning website and for the provision of our contents and services.

As the person/entity responsible for data processing, the Provider has implemented numerous technical and organisational measures to ensure a level of protection of the personal data processed via this website that is as complete and consistent as possible. Nevertheless, security gaps may occur in principle in Internet-based data transmissions, so that absolute protection cannot be guaranteed.

Personal data is only made available to persons who have been informed about the applicable statutory regulations on data protection and have undertaken to comply with these regulations. With these terms we notify you in our capacity as the Provider about which of your personal data we collect and how we handle your personal data in our capacity as the Provider:

IV. Definition of terms

The Data Privacy Statement of Kludi GmbH & Co. KG is based on the terms used by the European institutions responsible for legislation and the enactment of regulations while issuing the EU General Data Protection Regulation. Our Data Privacy Statement shall be easily readable and comprehensible both for the general public and for our customers and business partners. To ensure such comprehensibility, we wish to explain the terms used in advance.

In this Data Privacy Statement, we use the following terms amongst others:

1. Personal data

Personal data is any information that relates to an identified or identifiable private individual (hereinafter referred to as the “person concerned”). A private individual is regarded as identifiable if he / she can be identified, directly or indirectly, especially by means of allocation to identifying information such as a name, an identification number, location data, online identification or to one or several particular characteristics that represent an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that private individual.

2. Person concerned

The person concerned is any identified or identifiable private individual whose personal data are processed by the person/entity responsible for data processing.

3. Data processing

Data processing is any process conducted with or without the help of automated procedures, or any such series of processes in relation to personal data such as the collection, recording, organisation, arrangement, storage, adjustment or modification as well as the selection, retrieval, utilisation, disclosure through transmission, dissemination or any other form of data provision, comparison or connection, restriction, deletion or destruction of the data.

4. Restriction of data processing

The restriction of data processing is the marking of stored personal data with the objective of restricting their future processing.

5. Profiling

Profiling is any kind of automated processing of personal data consisting in the circumstance that these personal data are used to assess certain personal aspects in relation to a private individual, in particular to analyse or predict aspects concerning the work performance, the financial situation, the health, the personal predilections, the interests, the reliability, the behaviour, the whereabouts or the change of location of this private individual.

6. Pseudonymisation

Pseudonymisation is the processing of personal data in a manner, in which the personal data cannot be allocated anymore to any specific person concerned without the consideration/consultation of additional information, provided this additional information is stored separately and subject to technical and organisational measures, which guarantee that the personal data are not allocated to any identified or identifiable private individual.

The responsible person/entity or person/entity responsible for data processing is the private individual or legal entity, public authority, institution or other entity that decides, alone or together with others, on the purposes and means of personal data processing. Where the purposes and means of such data processing are predetermined by EU law or the law of the member states, the responsible person/entity or the specific criteria of his/her/its appointment may be stipulated under EU law or under the law of the member states.

8. Commissioned data processor

The commissioned data processor is a private individual or legal entity, public authority, institution or other entity that processes personal data on behalf of the responsible person/entity.

9. Recipient

The recipient is a private individual or legal entity, public authority, institution or other entity, to which personal data are disclosed, regardless of whether or not the recipient is a third party. Public authorities, which possibly receive personal data in the framework of a certain investigation order under EU law or under the law of the member states, shall not be considered however as being recipients.

10. Third party

A third party is a private individual or legal entity, public authority, institution or other entity except for the person concerned, the responsible person/entity, the commissioned data processor and the persons authorised, under immediate responsibility of the responsible person/entity or the commissioned data processor, to process the personal data.

11. Consent

Consent is any indication of intent given voluntarily by the person concerned for the specific case in an informed and unmistakeable manner in the form of a statement or other unequivocally confirming act, by which the person concerned indicates that he/she agrees to the processing of personal data that relate to him/her.

V. Legal basis for the processing of personal data

As far as the Provider obtains consent from the person concerned with the data processing activities in relation to personal data, Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation serves as the legal basis.

In regards to the processing of personal data that is required to fulfil a contract, of which the person concerned is a contracting party, Article 6 Subsection 1 Letter b of the EU General Data Protection Regulation serves as the legal basis. This also refers to data processing activities required for the implementation of pre-contractual measures.

As far as the processing of personal data is required to fulfil a legal obligation, which our company is subject to, Article 6 Subsection 1 Letter c of the EU General Data Protection Regulation serves as the legal basis.

In the event that vital interests of the person concerned or another private individual require the processing of personal data, Article 6 Subsection 1 Letter d of the EU General Data Protection Regulation serves as the legal basis.

If the data processing is required to protect a legitimate interest of the Provider or a third party and if the interests, basic rights and basic freedoms of the person concerned do not outweigh the aforementioned interest. Article 6 Subsection 1 Letter f of the EU General Data Protection Regulation serves here as the legal basis.

VI. Data deletion and storage period

The personal data of the person concerned will be deleted or blocked once the purpose of storage has ceased to apply. Storage beyond that point in time may result if stipulated accordingly by the European or national legislator in EU regulations, laws or other provisions, which the Provider is subject to. Blocking or deletion of the data will result as well if the stipulated storage period expires as a result of the aforementioned norms/regulations, unless further storage of the data is necessary for the purpose of contract conclusion or contract performance.

VII. Collection, processing and utilisation of personal data

1. Provision of the website and creation of log files

Whenever our website is retrieved, our system automatically records data and information from the computer system of the retrieving computer.

The following data are collected in this context:

(1)Information on the browser type and version used

(2)User’s operating system

(3)User’s IP address

(4)Date and time of retrieval

(5)URL of the referring website

(6)The file retrieved

(7)The volume of data transmitted

The data are likewise stored in the log files of our system. Any storage of these data together with other personal data of the user does not take place.

The legal basis for the temporary storage of the data and the log files is Article 6 Subsection 1 Letter f of the EU General Data Protection Regulation.

The temporary storage of the IP address by the system is necessary to render possible the delivery of the website to the user’s computer. For this purpose, the user’s IP address has to be stored over the duration of the session.

The storage in log files results to ensure the functional capability of the website. In addition, the data help us optimise the website and ensure the security of our information technology systems. Within this context, there is no evaluation of the data for marketing purposes.

The legal basis for processing of the data is Article 6 Subsection 1 Letter f of the EU General Data Protection Regulation, as a legitimate interest of the company arises from the aforementioned purpose. In our opinion, there are no interests of the person concerned that would outweigh our respective interests.

The data will be deleted as soon as they are no longer necessary to achieve the purpose of their collection. This is the case once the respective session has ended in the event that the data are recorded in order to make the website available.

In the event that the data are stored in log files, this is the case after seven days at the latest. Storage beyond these points or periods of time is not possible. In this event, the IP addresses of the users will be deleted or alienated, so that allocation of the retrieving client is no longer possible.

The recording of data to make available the website and the storage of data in log files is indispensable for the operation of the web page. As a consequence, there is no possibility for the user to raise objections.

2. Basic data

Where a contractual relationship shall be established, shaped or modified between you and the Provider, the latter will collect and use personal data (name, address, telephone number, e-mail address, account data) from you as far as this is necessary to achieve the purpose of contract performance. In this respect, the legal basis for the processing of data is Article 6 Subsection 1 Letter b of the EU General Data Protection Regulation.

VIII. Newsletter data

On the website of the Provider, there is a possibility to subscribe to a newsletter free of charge. If you wish to receive this newsletter, we require an e-mail address and information from you (such as the IP address of the retrieving computer, and the date and time of registration), which allow us to verify that you are the owner of the aforementioned e-mail address and that you agree with receiving the newsletter. These data are used exclusively for sending the requested information. Further data will not be collected. In relation to the data processing activities performed for sending the newsletter, data are not passed on to third parties.

In the framework of the registration process, your consent to the processing of data will be obtained and this Data Privacy Statement will be referred to. The legal basis for the processing of data after a user has signed up for the newsletter is Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation, provided the user has given his/her consent.

As a registration system, the Provider makes use of the so-called Double Opt-In procedure in order to make sure that you explicitly wish to receive e-mail. In the framework of this Double Opt-In procedure, an additional confirmation e-mail, which contains a confirmation link, will be sent to the e-mail address indicated by you. The newsletter subscription will only be activated once you click on this confirmation link.

You may revoke your consent provided to the storage of the data, the e-mail address and its utilisation for transmission of the newsletter at any time without incurring any costs of transmission other than the basic rates. The Provider will delete your personal data, which it has stored in this respect, at the latest once you object to its further use.

IX. Contact form

On its website, the Provider makes available a contact form, which can be used for making contact electronically. If you seize that opportunity as a user, the data entered in the input mask will be transmitted to and stored by the Provider. This relates to the following personal data: Your name, your postal address, your e-mail address and, optionally, your telephone and fax number. No data are forwarded to third parties in this context. The data are used exclusively for the purpose of processing the inquiry/request.

In the framework of the dispatch process, your consent to the processing of data will be obtained, and this Data Privacy Statement will be referred to. The legal basis for the processing of data is Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation, provided the user has given his/her consent. For the Provider, the processing of personal data from the input mask serves exclusively the purpose of processing the initial contact. Once the inquiry/request submitted via the contact form is dealt with, the Provider will delete your personal data stored in that respect.

X. Use of cookies

The Provider uses cookies. Cookies are small text files stored by your web server on the hard disk of your computer without doing damage. Cookies help you to navigate and in this way make it easier for you to use the Provider’s service.

Most of the cookies used by us are so-called “Session Cookies”, which are deleted automatically after the end of your website visit. Other cookies remain stored on your terminal device until you delete them. These cookies enable us to recognise your browser on the occasion of your next visit.

If you wish to prevent cookies from being stored on your computer in the future, please refer to the instructions provided by your browser producer by clicking the browser’s “Help” tab. Please note that if you do delete cookies sent by the Provider or if you deactivate cookies in the future, this may prevent you from accessing certain areas or functions of the Provider’s website. The legal basis for the processing of data after is a legitimate interest of the company pursuant to Article 6 Subsection 1 Letter f of the EU General Data Protection Regulation, as a legitimate interest of the company results from the aforementioned purpose. In our opinion, there are no interests of the person concerned that would outweigh our respective interests.

XI. Transfer of personal data

1. Data transfer to third parties

In no circumstances are personal data leased or sold to third parties for advertising purposes. Personal data are not passed on to third parties for advertising purposes without notification and explicit consent from the customer pursuant to Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation.

2. Disclosure of data to public authorities

Personal customer data will only be disclosed to public authorities, such as public prosecutors and courts if a written and enforceable official or court order is issued and/or in accordance with applicable regulations to the extent that the Provider is required to do so.

XII. Use of Google Analytics

This website makes use of Google Analytics, a web analysis service of Google Inc, (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). This use includes the operating mode Universal Analytics. This renders it possible to allocate data, sessions and interactions across several devices to one pseudonymised User ID and thus to analyse the activities of a user on a cross-device basis.

Google Analytics uses so-called “cookies”, text files that are stored on the user’s computer and that permit an analysis of their utilization of the website. The information generated by the cookie about your use of this website (including your IP address) is sent to and stored on a Google server in the USA. If IP anonymisation is activated on this website, your IP address will be shortened beforehand within the member states of the European Union or other contractual states of the Treaty on the European Economic Area. Only in exceptional cases is the full IP address sent to and truncated on a Google server in the USA. The IP address sent by your browser as part of Google Analytics is not combined with other data held by Google.

Google uses this information on behalf of the website operator to evaluate the way you use the website, to collate reports on website activities and to provide the website operator other services related to website and Internet use. These purposes also constitute our legitimate interest in the data processing.

The legal basis for the use of Google Analytics is § 15 Subsection 3 of the German Telemedia Act (TMG) and Article 6 Subsection 1 Letter f of the EU General Data Protection Regulation. The Provider has a legitimate interest in the analysis of user behaviour in order to optimise both its website/Internet offer and its advertising activities. In our opinion, there are no interests of the person concerned that would outweigh our respective interests. The data transmitted and connected by us with cookies, user identifications (e.g. User ID) or Advertising IDs shall be deleted automatically after 14 months. The deletion of data, the storage period of which has been reached, will take place automatically once a month.

You can change your browser settings to prevent cookies from being stored; however, the Provider draws your attention to the fact that, in these circumstances, you may find that you are unable to make full use of functions on the website. Furthermore, you may prevent the collection of data generated through cookies (incl. your IP address) and related to your use of this website as well as the processing of such data by Google by downloading and installing the browser plug-in that is available (http://tools.google.com/dlpage/gaoptout?hl=en).

Opt-Out Cookies prevent the future recording of your data when you visit this website. To prevent data recording by Universal Analytics across various devices, you will have to implement the Opt-Out Cookie on all the systems used. To set the Opt-Out Cookie, please click here: <a href="javascript:gaOptout()"><strong>Deactivate Google Analytics</strong></a></p>

Furthermore, the Provider uses Google Analytics to evaluate data from AdWords and the DoubleClick Cookie for purely statistical purposes. If you object, you can opt out using Ads Preferences (http://www.google.com/settings/ads/onweb/?hl=en).

As far as the Provider obtains consent from the person concerned with the data processing activities in relation to personal data, Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation serves as the legal basis. In the event that you have furnished the Provider with your consent to the collection, processing or utilisation of your data, the Provider advises you that this consent is revocable at any time, with effect for the future, pursuant to Article 7 Subsection 3 of the EU General Data Protection Regulation without a need to comply with certain formal requirements or time limits.

Consent must be revoked by sending an e-mail to [email protected]. Alternatively, you may also send your revocation by fax or letter. The Provider’s address and fax number are as follows: Kludi GmbH & Co. KG, Am Vogelsang 31–33, 58706 Menden, Germany, telefax: + 49 (0) 23 73 90 44 65. You will be informed by e-mail by the Provider about the content of any consent expressly given by you.

2. Right to deletion

a) Obligation to deletion

You may demand from the Provider to delete any personal data relating to you without delay, and the Provider will be under obligation to delete such data without delay if one of the following reasons is applicable:

(1)The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)You revoke your consent, on which the data processing was based pursuant to Article 6 Subsection 1 Letter a or Article 9 Subsection 2 Letter a of the EU General Data Protection Regulation, and another legal basis justifying the data processing is lacking.

(3)You raise an objection to the data processing pursuant to Article 21 Subsection 1 of the EU General Data Protection Regulation, and overriding legitimate reasons for the processing are not in place, or you raise an objection to the data processing pursuant to Article 21 Subsection 2 of the EU General Data Protection Regulation.

(4)The personal data relating to you were processed in an unlawful manner.

(5)The deletion of the personal data relating to you is necessary to fulfil a legal obligation under EU law or the law of the member states, which the Provider is subject to.

(6)The personal data relating to you were collected with reference to services offered by the information society in accordance with Article 8 Subsection 1 of the EU General Data Protection Regulation.

b) Provision of information to third parties

Where the Provider has published the personal data relating to you and is obliged to delete them pursuant to Article 17 Subsection 1 of the EU General Data Protection Regulation, it will take appropriate measures, including technical measures, in consideration of the available technology and the cost of implementation, to provide the persons/entities responsible for data processing, which process the personal data, with information on the circumstance that you as a person concerned have demanded them to delete all links to these personal data or all copies or replications of these personal data.

c) Exceptions

The right to deletion does not apply if the data processing is necessary

(1)to exercise the right of free speech and information;

(2)to fulfil a legal obligation, which necessitates the data processing activities according to EU law or the law of the member states, which the Provider is subject to, or to perform a task in which there is a public interest or which is performed in the exercise of public authority that has been assigned to the person/entity responsible for data processing;

(3)for reasons of a public interest in the area of public health pursuant to Article 9 Subsection 2 Letters h and i and Article 9 Subsection 3 of the EU General Data Protection Regulation;

(4)for archival purposes, scientific purposes or historical research purposes in the public interest, or for statistical purposes pursuant to Article 89 Subsection 1 of the EU General Data Protection Regulation, as far as the right referred to under a) is likely to render the achievement of the objectives of these data processing activities impossible or seriously affect them, or

(5)for the assertion, exercise or defence of legal claims.

3. Right to complain with the responsible supervisory authority

Regardless of any other legal remedy under administrative law or any judicial remedy, you are entitled to lodge a complaint with a supervisory authority, especially in the member state of your place of domicile, your place of work or the place of the presumable infringement, if you are of the opinion that the processing of personal data relating to you is in breach of the EU General Data Protection Regulation.

The supervisory authority, to which the complaint has been submitted, will inform the complainant on the state and outcome of the complaint, including the possibility of a judicial remedy in accordance with Article 78 of the EU General Data Protection Regulation.

The supervisory authority responsible for the Provider is:

Federal State Commissioner for Data Protection and the Freedom of Information in

North Rhine-Westphalia

P.O.B. 20 04 44

40102, Düsseldorf / Germany

Phone: +49 (0) 211/38424-0 Fax: +49 (0) 211/38424-10

4. Right to information

You may demand confirmation from the Provider as to whether the latter processes personal data in relation to you.

Where such data processing activities are conducted, you are entitled to demand the following information from the Provider:

(1)the purposes for which personal data are processed;

(2)the categories of personal data that are processed;

(3)the recipients or categories of recipients, to which the personal data relating to you have been disclosed or will be disclosed in the future;

(4)the scheduled duration of storage of the personal data relating to you or, if specific information thereon is not possible, criteria for the determination of the storage period;

(5)the existence of a right to have the personal data relating to you corrected or deleted, a right to restriction of the data processing by the Provider or a right to raise objections against such data processing;

(6)the existence of the right to lodge a complaint with the supervisory authority;

(7)all available information on the origin of the data if the personal data were not collected from the person concerned;

(8)the existence of an automated decision-making process including profiling pursuant to Article 22 Subsections 1 and 4 of the EU General Data Protection Regulation and – at least in these cases – meaningful information on the involved logic and the impact and intended consequences of such data processing activities for the person concerned.

You are entitled to demand information as to whether the personal data relating to you are transmitted to a third country or an international organisation. In this context, you may demand to be provided with information on the appropriate guarantees pursuant to Article 46 of the EU General Data Protection Regulation in connection with the data transmission.

5. Right to correction

You are entitled to correction and/or completion of your data by the Provider if the processed personal data relating to you is incorrect or incomplete. The Provider shall correct any such data without delay.

6. Right to restriction of the data processing

You are entitled to demand the restriction of the processing of personal data relating to you under the following conditions:

(1)if you dispute the correctness of the personal data relating to you for a period of time, which enables the Provider to review the correctness of the personal data;

(2)if the processing is unlawful and if you reject the deletion of the personal data and instead demand the restriction of utilisation of those personal data;

(3)if the Provider no longer requires the personal data for the purpose of data processing, but if you require these data for the assertion, exercise or defence of legal claims, or

(4)if you have raised an objection to the data processing pursuant to Article 21 Subsection 1 of the EU General Data Protection Regulation and if it is still uncertain whether the legitimate interests of the Provider outweigh your own reasons.

Where the processing of personal data relating to you has been restricted, these data may only be processed – except for their storage – with your consent or for the assertion, exercise or defence of legal claims, or for the protection of the rights of another private individual or legal entity, or for reasons relating to a significant public interest of the EU or a member state.

Where the restriction of personal data processing itself has been restricted in accordance with the aforementioned prerequisites, you shall be notified by the Provider before the restriction is lifted.

7. Right to notification

If you have asserted the right to correction, deletion or restriction of data processing vis-à-vis the Provider, the latter will be under obligation to communicate this correction or deletion of data or the restriction of data processing to all recipients, to which the personal data relating to you have been disclosed, unless it turns out that this is impossible or requires disproportionate expenditure.

You are entitled to be notified by the Provider on the Provider’s provision of corresponding information to such recipients.

8. Right of data portability

You are entitled to receive the personal data relating to you, which you have made available to the Provider, in a structured, well-established and machine-readable format. In addition, you are entitled to transmit these data to any other person/entity responsible for data processing without any obstruction by the Provider, to which the personal data have been made available, if

(1)the data processing is based on consent pursuant to Article 6 Subsection 1 Letter a of the EU General Data Protection Regulation or Article 9 Subsection 2 Letter a of the EU General Data Protection Regulation or on a contract pursuant to Article 6 Subsection 1 Letter b of the EU General Data Protection Regulation, and

(2)the data is processed by means of automated procedures.

In exercise of this right, you are furthermore entitled to procure that the personal data relating to you is transmitted directly from one person/entity responsible for data processing to another person/entity responsible for data processing as far as this is technically feasible. The freedoms and rights of other people must not be adversely affected by this transmission.

The right of data portability does not apply to any processing of personal data that is necessary to perform a task in the public interest, or to fulfil a task that is performed in the exercise of public authority, which has been assigned to the person /entity responsible for data processing.

9. Right to raise objections

You are entitled, for reasons arising from your particular situation, to raise an objection at any time against the processing of personal data relating to you, which is conducted on the grounds of Article 6 Subsection 1 Letters e or f of the EU General Data Protection Regulation; the same also applies to any profiling activities conducted on the basis of these provisions.

The Provider will cease processing the personal data relating to you unless it is able to provide evidence of compelling reasons for the processing, which must be worthy of protection and outweigh your interests, rights and freedoms, or if the data processing serves to assert, exercise or defend legal claims.

If the personal data relating to you is processed for the purpose of direct advertising activities, you are entitled to raise an objection at any time against the processing of personal data relating to you for the purpose of such advertising activities; the same shall apply to profiling as far as it is connected with such advertising activities.

If you raise an objection against the processing of data for the purpose of direct advertising, the personal data relating to you will not be used anymore for such purposes.

In connection with the utilisation of services of the information society, you have the opportunity – regardless of Regulation 2002/58/EC – to exercise your right of objection through automated procedures that make use of technical specifications.

10. Automated decision in the individual case including profiling

You have the right not to be made subject to any decision based exclusively on automated processing – including profiling – insofar as this decision has legally effective consequences for you or significantly affects you in a similar manner. This shall not apply if

(1)the decision is necessary for the conclusion or performance of a contract between you and the Provider,

(2)it is admissible on the grounds of legal regulations of the European Union or the member states, which the Provider is subject to, and if these legal regulations include appropriate measures to protect your rights and freedoms as well as your legitimate interests, or

(3)the decision is taken with your explicit consent.

However, these decisions must not be based on particular categories of personal data pursuant to Article 9 Subsection 1 of the EU General Data Protection Regulation, unless Article 9 Subsection 2 Letters a or g of the EU General Data Protection Regulation is applicable and appropriate measures have been taken for the protection of rights and freedoms and of your legitimate interests.

In regards to the cases referred to in (1) and (3), the Provider will take appropriate measures to protect the rights and freedoms and your legitimate interests, which shall include at least the right to enforce the intervention from a person on behalf of the Provider, to explain one’s own position and to challenge the decision.